Encrypted Credentials in Custom Applications


HEAVY.AI can accept a set of encrypted credentials for secure authentication of a custom application. This topic describes how to create the encryption key used to generate encrypted credentials, and how to configure the web server so that it can decrypt them.

Generating an Encryption Key

Generate a 128- or 256-bit encryption key and save it to a file. You can use https://acte.ltd/utils/randomkeygen to generate a suitable encryption key.

Configuring the Web Server

Set the encryption-key-file-path web server parameter in heavyai.conf to the path of the encryption key file:

[web]
encryption-key-file-path = "path/to/file"

Alternatively, you can set the path using the --encryption-key-file-path=path/to/file command-line argument.

Generating Encrypted Credentials

Generate encrypted credentials for a custom application by running the following Go program, replacing the example key and credentials strings with an actual key and actual credentials. You can also run the program in a web browser at https://play.golang.org/p/nNBsZ8dhqr0.

package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// 1. Replace the example key with your encryption key
// (16 bytes for a 128-bit key, 32 bytes for a 256-bit key)
var key = "v9y$B&E(H+MbQeThWmZq4t7w!z%C*F-J"

// 2. Replace strings "username", "password", "dbName" with credentials
var stringsToBeEncrypted = []string{
	"username",
	"password",
	"dbName",
}

// 3. Run program to see encrypted credentials in console
func main() {
	for i := range stringsToBeEncrypted {
		encrypted, err := EncryptString(stringsToBeEncrypted[i])
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s => %s\n", stringsToBeEncrypted[i], encrypted)
	}
}

// EncryptString encrypts str with AES-GCM under key and returns the result
// as a hex string: a fresh random nonce followed by the ciphertext and tag.
func EncryptString(str string) (encrypted string, err error) {
	keyBytes := []byte(key)

	block, err := aes.NewCipher(keyBytes)
	if err != nil {
		return "", err
	}
	aesGCM, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// A new random nonce is generated for every value
	nonce := make([]byte, aesGCM.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	strBytes := []byte(str)

	// Passing nonce as dst prepends it to the sealed output
	cipherBytes := aesGCM.Seal(nonce, nonce, strBytes, nil)

	return fmt.Sprintf("%x", cipherBytes), nil
}
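
To check a generated value before deploying it, the following added example (not HEAVY.AI's code and not part of the program above) decrypts the format that program produces and rejects a wrong key, an altered value, or a key that is not 128 or 256 bits. It assumes the key is the raw bytes of the key string, as in the program above; newGCM, Encrypt and Decrypt are hypothetical names, the key is a constructed sample, and the page does not show how the HEAVY.AI web server itself decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// newGCM builds AES-GCM from the raw bytes of the key string, as the page's program does.
func newGCM(key string) (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil || len(key) == 24 { // the page calls for 128- or 256-bit keys
		return nil, fmt.Errorf("key is %d bytes, want 16 or 32", len(key))
	}
	return cipher.NewGCM(block)
}

// Encrypt emits the page's format: hex(nonce || ciphertext || 16-byte GCM tag).
func Encrypt(key, plain string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plain), nil)), nil
}

// Decrypt splits off the nonce, then authenticates and decrypts the rest.
func Decrypt(key, encHex string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	data, err := hex.DecodeString(encHex)
	if err != nil || len(data) < gcm.NonceSize()+gcm.Overhead() {
		return "", fmt.Errorf("malformed value (hex error: %v)", err)
	}
	plain, err := gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
	return string(plain), err // non-nil err: wrong key or altered value
}

func main() {
	enc, _ := Encrypt("0123456789abcdef0123456789abcdef", "username") // constructed sample key
	fmt.Println(Decrypt("0123456789abcdef0123456789abcdef", enc))
}
```

Because the nonce is random, encrypting the same credential twice gives different hex strings; both decrypt to the same value under the same key.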